Viruses and Ransomware combine in a new Zcrypt infection!

Zcrypt is a new malware hybrid. It self-replicates like a virus and encrypts files like ransomware.

Security researchers have been raising the alarm about a dangerous new piece of malware that was recently spotted spreading on its own. The threat is called Zcrypt, and it is a new kind of malware that combines the features of two of the most damaging online threats: viruses and ransomware. Yes, you read that right. This is a hybrid that self-replicates like a virus and encrypts files like ransomware.

Ransomware typically arrives by email, either as a malicious attachment or dropped by a Trojan horse that is already on the system. Zcrypt is not limited to that route: it also copies itself onto removable media such as USB sticks and external drives, which lets it reach other machines and encrypt their data as well. Spreading through removable media is nothing new, but when it is paired with file encryption the results can be devastating.

The new hybrid is packaged with the Nullsoft Scriptable Install System (NSIS). An NSIS installer is effectively a self-extracting archive: it unpacks its payload and runs it at launch time. The CryptoLocker operators also used the Nullsoft installer to package their ransomware last year. Note that NSIS is widely used by legitimate software too, so the packaging alone is not an indicator of compromise.

Zcrypt, the "virus-ransomware", appends the .zcrypt extension to every file it encrypts. It spares no private data and locks everything: photos, documents, databases and so on. Once encryption is finished, a ransom note appears on the victim's screen, revealing the infection. The note demands 1.2 Bitcoin, about $500 at the time, within four days. If the deadline is missed, the attackers threaten to destroy the decryption key and leave the data locked for good.

The hybrid behaves differently from most of the ransomware seen so far. Zcrypt tries to create an autorun.inf on any connected removable or network drive, pointing it at a copy of itself named "invoice.exe". On a system that still honours AutoRun, this lets the malware self-replicate and infect another computer without human interaction, launching the moment the drive is plugged in. One caveat for defenders: since Windows 7 (and the corresponding update for earlier versions), Windows no longer honours autorun.inf on USB mass-storage devices, so on a patched system the file still has to be opened by the user, which is what the innocuous "invoice" name invites. Zcrypt also does not perform a full directory traversal when looking for files to encrypt, and it does not delete its own executable or the volume shadow copies, so a shadow-copy restore may still be possible once the malware is removed.
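The autorun.inf mechanism described above is easy to check for. The following is an added example, not code from the original article or from any Zcrypt analysis: a small parser for the [autorun] section that flags entries pointing AutoRun or Explorer's default verb at an executable on the drive itself. The two autorun.inf texts are constructed samples; the file name invoice.exe is the one the article cites.

```python
"""Parse an autorun.inf and flag entries that would launch a binary from the
drive itself, the pattern this article describes (open=invoice.exe).

Added example, not code from the original article or from any Zcrypt
analysis. The sample autorun.inf texts below are constructed.
"""
import os
import re

# [autorun] keys that can trigger code execution when the drive is mounted
# (on systems that still honour AutoRun) or when the drive is double-clicked
# in Explorer. 'shell\open\command' is what Explorer runs for the default verb.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Extensions Windows will execute directly.
EXECUTABLE_EXT = re.compile(r"\.(exe|scr|com|pif|bat|cmd|vbs|js)\b", re.IGNORECASE)


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as a dict with lower-cased keys.

    autorun.inf is INI-like, but samples in the wild are sloppy (mixed-case
    section names, stray whitespace, a BOM, ';' comments), so this is a small
    hand-written parser rather than configparser.
    """
    entries = {}
    in_autorun = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_launchers(entries: dict) -> list:
    """Return (key, value) pairs that point a launch hook at an executable."""
    return [(k, entries[k]) for k in EXEC_KEYS
            if k in entries and EXECUTABLE_EXT.search(entries[k])]


def scan_drive_root(root: str) -> list:
    """Check the root of a mounted drive (e.g. 'E:\\' or '/media/usb') for an
    autorun.inf that launches a local executable. Returns [] if none."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_launchers(parse_autorun(fh.read()))


# Constructed sample in the shape the article describes: a dropped
# autorun.inf that points every launch hook at a copy of the malware.
MALICIOUS_AUTORUN = """\
[Autorun]
; looks like the usual "open folder" entry at a casual glance
open=invoice.exe
icon=invoice.exe,0
action=Open folder to view files
shell\\open\\command=invoice.exe
UseAutoPlay=0
"""

# Constructed benign sample: a vendor disc that only sets a label and icon.
BENIGN_AUTORUN = """\
[autorun]
label=DriverDisc
icon=setup\\disc.ico
"""

if __name__ == "__main__":
    for name, text in (("malicious", MALICIOUS_AUTORUN), ("benign", BENIGN_AUTORUN)):
        hits = suspicious_launchers(parse_autorun(text))
        print(f"{name}: {'ALERT ' + str(hits) if hits else 'no launcher entries'}")
```

Run against the root of every removable volume at mount time; a hit on `open` or `shell\open\command` that resolves to an .exe on the drive is the signature to act on, whether or not the host still honours AutoRun.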

Zcrypt also overwrites each targeted file twice: first it corrupts the original contents, then it writes the encrypted version in its place. Because the plaintext is overwritten in place rather than written to a new file and deleted, undelete and file-carving tools have nothing left to recover, which makes getting the files back much harder.

And it does not stop there. Zcrypt watches the file system for changes and encrypts any file that is added or modified. Victims therefore cannot keep using their computers until the infection is completely removed, because any new file is encrypted within seconds while the hybrid is still on the machine. The same applies to restoring from backup: copy files back before the malware is gone and they are simply encrypted again.
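The file-system watching described above cuts both ways: the burst of newly created .zcrypt files that an active infection produces is itself a strong detection signal. The following is an added example, not code from the original article, showing a sliding-window detector run over a constructed stream of file-system events. In practice the events would come from a watcher such as ReadDirectoryChangesW, inotify, or the watchdog Python package; the paths, timestamps and thresholds here are assumptions for illustration.

```python
"""Detect the burst of '.zcrypt' files that a running Zcrypt infection
produces, from a stream of file-system change events.

Added example, not code from the article. The event stream below is
constructed; the window and threshold values are illustrative assumptions.
"""
import ntpath  # sample paths are Windows paths, so use Windows path rules
from collections import deque
from dataclasses import dataclass


@dataclass
class FsEvent:
    ts: float     # seconds since the epoch, as reported by the watcher
    action: str   # "create", "modify" or "rename"
    path: str     # path of the file after the event


# Extension the article says Zcrypt appends. Other families' extensions
# would be added here; the detection logic is unchanged.
RANSOM_EXTS = {".zcrypt"}


class BurstDetector:
    """Alert when at least `threshold` files carrying a ransomware extension
    appear within any `window`-second span.

    One .zcrypt file could be a stray sample; five in ten seconds, spread
    across a user's folders, is encryption in progress.
    """

    def __init__(self, window=10.0, threshold=5, exts=RANSOM_EXTS):
        self.window = window
        self.threshold = threshold
        self.exts = {e.lower() for e in exts}
        self.recent = deque()   # matching events inside the current window
        self.alerts = []

    def feed(self, ev: FsEvent):
        """Consume one event; return an alert dict when the threshold trips."""
        if ntpath.splitext(ev.path)[1].lower() not in self.exts:
            return None
        self.recent.append(ev)
        # Drop events that have fallen out of the window. The newest event is
        # always inside it, so the deque never empties here.
        while ev.ts - self.recent[0].ts > self.window:
            self.recent.popleft()
        if len(self.recent) >= self.threshold:
            alert = {
                "ts": ev.ts,
                "count": len(self.recent),
                "dirs": sorted({ntpath.dirname(e.path) for e in self.recent}),
                "sample": self.recent[-1].path,
            }
            self.alerts.append(alert)
            self.recent.clear()   # start a fresh window after alerting
            return alert
        return None


def run_detector(events, **kwargs):
    """Feed a whole event list through a detector and return its alerts."""
    det = BurstDetector(**kwargs)
    for ev in events:
        det.feed(ev)
    return det.alerts


# Constructed event stream: ordinary work, then an encryption burst across
# three folders, then one isolated .zcrypt file much later.
_U = "C:\\Users\\alice\\"
SAMPLE_EVENTS = [
    FsEvent(1000.0, "modify", _U + "Documents\\notes.txt"),
    FsEvent(1001.0, "create", _U + "Pictures\\IMG_0001.jpg.zcrypt"),
    FsEvent(1001.4, "create", _U + "Pictures\\IMG_0002.jpg.zcrypt"),
    FsEvent(1001.9, "create", _U + "Documents\\report.docx.zcrypt"),
    FsEvent(1002.3, "create", _U + "Documents\\budget.xlsx.zcrypt"),
    FsEvent(1002.8, "create", _U + "Desktop\\thesis.pdf.zcrypt"),    # fifth in 1.8 s: alert
    FsEvent(1003.1, "create", _U + "Desktop\\todo.txt.zcrypt"),      # first of a new window
    FsEvent(1200.0, "create", _U + "Music\\track01.mp3.zcrypt"),     # isolated, no alert
]

if __name__ == "__main__":
    for alert in run_detector(SAMPLE_EVENTS):
        print(f"ALERT at t={alert['ts']}: {alert['count']} encrypted files "
              f"in {len(alert['dirs'])} folders, e.g. {alert['sample']}")
```

When the alert fires the right response is to stop the process and isolate the host immediately, not to start copying files back: as the article notes, anything written while the malware runs is encrypted again within seconds.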

This combination of virus and ransomware functionality shows that, unfortunately, there is plenty of room for ransomware to evolve and reach more systems. With that in mind, now is a good time for anyone not running device-control software to disable automatic execution from external devices (on Windows, setting the NoDriveTypeAutoRun policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer to 0xFF disables AutoRun for every drive type) and to keep a copy of their data somewhere else. A backup has always been, and remains, the definitive answer to malware that tampers with data, but it only counts if it is kept disconnected: an always-attached USB drive is exactly the kind of target this hybrid both infects and encrypts.